DNR manager behind data trolling

Article by: ERIC ROPER

Star Tribune

January 26, 2013 - 8:07 AM

A state agency revealed Friday that an employee who improperly accessed thousands of driver's license records, and ignited calls for stiffer laws, was a manager who oversaw training on how to handle private information.

The Department of Natural Resources said John Hunt, administrative manager of the agency's enforcement division, viewed driver's license data on 5,000 people while off-duty and without a work-related purpose. Altogether, Hunt made about 19,000 queries of the Driver and Vehicle Services (DVS) database over nearly five years -- 11,800 of them while off-duty.

The agency, which had previously declined to release Hunt's name, said Friday that it was performing a "top-to-bottom" review of DNR employee access to DVS data and "redoubling" employee training.

"This employee not only violated the law, but betrayed the trust of the agency, his supervisors, and fellow employees," DNR Commissioner Tom Landwehr said in a statement.

There is no evidence Hunt sold or disclosed the information, but the massive breach spurred lawmakers this week to call for tougher penalties and more disclosure when public employees misuse government data. Two lawsuits, both seeking class-action status, have been filed in federal court by several of the 5,000 people who received data breach letters.

The DVS database, which contains photographs, addresses and driving records on Minnesotans with a license, is protected by state and federal law against illegitimate use. The agency fired Hunt on Jan. 11 and the Duluth city attorney is reviewing the case for possible criminal charges.

Ninety percent of Hunt's queries were for females, the agency said. The lookups included local celebrities, politicians, judges, athletes, television news people, state employees and "victims of various tragedies," according to Hunt's disciplinary letter and an investigative report. Several Star Tribune reporters were among the 5,000 lookups.

Data designee

Ironically, the DNR had designated Hunt to be among those in charge of open records requests and data training. Third-party investigators who examined the misuse noted that Hunt's "responsibilities require him to ensure new DNR enforcement officers complete the DVS data privacy training provided by DNR."

The termination letter said that on one occasion, Hunt made several unauthorized queries "immediately upon leaving" a seminar on law enforcement data practices.

Hunt was an enforcement officer, but his role at the agency was largely administrative. His primary duties, according to the investigatory report, were administrating the agency's fleet program and radio inventory, as well as some human resources functions and equipment purchasing. He handled public requests for records as the data compliance officer.

An 11-year employee of the agency, Hunt would have needed to use DVS records to largely perform background checks on new officer applicants. He would also look up records on people who sent the commissioner a threatening letter, the report said.

An agency spokesman, Chris Niskanen, said DNR officials do not know why Hunt made the lookups. Hunt, 48, did not return a phone message seeking comment.

"This was a single employee," Niskanen said. "We've seen no other trends of employees doing similar things."

Since the breach was discovered, lawmakers have proposed legislation that would impose stiffer penalties on public employees who inappropriately access government data. It would also require agencies to post reports online detailing any investigations that discover data misuse.

"We want to be a part of this public discussion about coming up with a solution," Niskanen said. "And we want to help other agencies who might go through this similar situation because we're angry, we're frustrated, we're disappointed with this employee."

Cashing in

The rush is already on to cash in on this and other data breaches involving driver's license records.

Litigation has become rampant in breach cases, ever since former St. Paul police officer Anne Marie Rasmusson received more than $1 million in settlements from local governments after alleging DVS misuse. That's partly because federal statutes say a court can award minimum damages of $2,500 per violation.

A Washington County man, Jeffrey Ness, filed a federal lawsuit Wednesday against state officials and Hunt -- identified as John Doe -- after learning he was one of 5,000 people whose driver's license data was viewed. The suit, first reported by the Associated Press, seeks class-action status.

Thomas and Richard Whigham of St. Paul and Woodbury, respectively, also filed suit against the DNR on Friday seeking class-action status. The firm representing them is simultaneously pursuing a case against Capital One Bank and a repossession company related to a breach of driver's license records in April 2012. That case is still being reviewed for possible criminal charges.

Meanwhile, an attorney in Mankato is reaching out to victims of the DNR breach asking if they would like to make a claim. A Star Tribune reporter whose data was accessed received a letter in the mail from attorney Scott Kelly with the Farrish Johnson Law Office, which is also pursuing a class-action suit in Rock County over DVS misuse.

"We are looking at other agencies including the DNR where abuses occurred," the letter says. "If you are interested in pursuing a claim or would like information about your rights, please feel free to contact me."

Kelly said Friday that his firm only sent letters to two people in relation to the DNR case.

After reviewing state records and filing open records requests, he believes that a minimum of 18,000 driver records have been breached over the last three years.

"Our intent is that if the Department of Public Safety and these agencies can't control it, that we will do whatever we can to enforce the law," Kelly said.